440 F.Supp.3d 447
D. Maryland
2020
Background
- In 2018 Marriott disclosed a multi-year breach of the Starwood guest reservation database affecting hundreds of millions of guests; stolen data allegedly included names, contact info, passport numbers, payment card data and tools to decrypt cardholder data.
- Plaintiffs (bellwether consumer representatives from multiple states) allege Marriott failed to secure Starwood data pre- and post-acquisition, misrepresented its data-security practices, and delayed breach notice.
- Bellwether claims assert tort (negligence, negligence per se), contract (express and implied), and statutory (state consumer-protection, data-breach-notice and privacy statutes, UCL, GBL) causes of action under various state laws.
- Marriott moved to dismiss under Fed. R. Civ. P. 12(b)(1) and (6), arguing many plaintiffs lack Article III standing and that the substantive claims fail (economic loss rule, lack of legal duty, insufficient contract formation, failure to plead damages, and Rule 9(b) deficiencies).
- The court found all bellwether plaintiffs have standing (injury-in-fact: actual identity theft for some; imminent risk, mitigation costs, loss-of-value and benefit-of-the-bargain injuries for others) and denied most dismissal grounds, but dismissed Illinois negligence claims for lack of a recognized duty under Illinois law.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing (injury-in-fact) after data breach | Plaintiffs allege actual identity theft for some; for others imminent risk, mitigation costs, loss of PII value, and loss of benefit-of-the-bargain suffice | Threatened injury is speculative absent targeted misuse or actual misuse (Clapper/Beck) | Court: plaintiffs have standing — some allege actual misuse; others plausibly alleged non-speculative imminent risk and mitigation costs (distinguishing Beck; following Hutton) |
| Traceability of identity-theft harms to Marriott breach | Misuse (fraudulent charges/accounts) arose from Marriott-stored PII | Fraudulent accounts may require SSNs etc.; not necessarily traceable to Marriott | Court: traceability plausibly alleged; premature to dismiss on traceability without discovery |
| Negligence under Illinois law (duty/economic-loss rule) | Plaintiffs: injuries include non-economic aggravation and loss of PII value, independent duty to protect PII | Marriott: economic-loss rule bars tort recovery for purely economic harms; Illinois courts decline to recognize common-law duty to secure PII (Cooney) | Court: Illinois negligence dismissed — no recognized common-law duty under current Illinois law; economic-loss/duty issues reserved for Illinois courts |
| Contract claims (privacy policies as contracts) | Privacy statements created enforceable promises; providing PII and staying at hotels manifested acceptance | Defendants: plaintiffs didn’t read/accept policies; terms too indefinite | Court: denied dismissal — objective manifestations (use/stay/enrollment) plausibly form express or implied contracts with promises of reasonable security |
| Statutory/consumer-protection claims (MD PIPA, MD CPA, MI ITPA, CA UCL, NY GBL, GA negligence per se) | Plaintiffs: statutes and FTC Section 5 guidance supply duties; failures to secure and delayed notice violate statutes and amount to deceptive practices | Defendants: statutory texts limited (e.g., require security codes), FTC §5 not an ascertainable standard; Rule 9(b) | Court: denied dismissal on these claims — PIPA/ITPA and CPA/UCL/GBL claims adequately pleaded; GA negligence per se based on FTC §5 plausible given FTC/Wyndham precedent |
| Damages/particularity (Rule 9(b)) | Plaintiffs plead mitigation costs, overpayment, loss-of-value, actual fraudulent charges as damages; omissions pleaded with particulars and reliance | Defendants: no specific valuation, unreimbursed losses not shown, fraud pleading insufficient | Court: damages sufficiently pleaded for pleading stage; Rule 9(b) satisfied as to omissions-based consumer-protection claims |
Key Cases Cited
- Ashcroft v. Iqbal, 556 U.S. 662 (pleading standard: factual plausibility)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (standing for threatened future injury requires non-speculative chain of events)
- Beck v. McDonald, 848 F.3d 262 (4th Cir.) (data-breach standing: speculative increased risk insufficient absent targeting or misuse)
- Hutton v. Nat’l Bd. of Examiners in Optometry, 892 F.3d 613 (4th Cir.) (standing where plaintiffs alleged actual misuse and imminent risk; mitigation costs actionable)
- F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir.) (FTC §5 applies to inadequate cybersecurity; provides notice of unfairness standard)
- Moorman Mfg. Co. v. Nat’l Tank Co., 435 N.E.2d 443 (Ill.) (economic-loss rule; tort vs. contract boundary)
- Kwikset Corp. v. Superior Court, 246 P.3d 877 (Cal.) (UCL standing requires economic injury; benefit-of-the-bargain theory recognized)
- In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953 (N.D. Cal.) (data-breach plaintiffs can allege benefit-of-the-bargain injury for UCL standing)
- In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F. Supp. 3d 1113 (N.D. Cal.) (loss-of-value of PII plausible injury)
- Congregation of the Passion, Holy Cross Province v. Touche Ross & Co., 636 N.E.2d 503 (Ill.) (independent duty exception to Moorman in professional-services context)
